diff --git a/lib/sprockets/server.rb b/lib/sprockets/server.rb
index 16edc4a41..5e5507c01 100644
--- a/lib/sprockets/server.rb
+++ b/lib/sprockets/server.rb
@@ -114,7 +114,7 @@ def forbidden_request?(path)
 #
 # http://example.org/assets/../../../etc/passwd
 #
- path.include?("..") || absolute_path?(path)
+ path.include?("..") || absolute_path?(path) || path.include?("://")
 end
 def head_request?(env)
diff --git a/test/test_server.rb b/test/test_server.rb
index d71bc9994..b65ad809d 100644
--- a/test/test_server.rb
+++ b/test/test_server.rb
@@ -286,6 +286,13 @@ def app
 assert_equal "", last_response.body
 end
+ test "illegal access of a file asset" do
+ absolute_path = fixture_path("server/app/javascripts")
+
+ get "assets/file:%2f%2f//#{absolute_path}/foo.js"
+ assert_equal 403, last_response.status
+ end
+
 test "add new source to tree" do
 filename = fixture_path("server/app/javascripts/baz.js")
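Review bot: The new `path.include?("://")` term in `forbidden_request?` is a denylist for one spelling of a URI, and the accompanying test only exercises the `file:` plus two encoded slashes form; a scheme separator that is not followed by `//` would pass this guard, and nothing in the hunk shows whether such a path is later treated as a URI, so the check is narrower than the problem it names. If logical asset paths never legitimately contain a colon, rejecting on the scheme separator itself is the tighter and simpler rule: `path.include?("..") || absolute_path?(path) || path.include?(":")`. The comment block above the changed line documents only the `..` case and should also name the new one, e.g. a second example line `#     http://example.org/assets/file://...`. Whether this check sees the percent-decoded or raw path is not visible here; the test encodes the slashes and expects 403, so decoding presumably happens before `forbidden_request?` is called, but that ordering should be confirmed. The method's signature sits in the hunk header, so its opening lines are outside the hunk.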